The SEI helps advance software engineering principles and practices and serves as a national resource in software engineering, computer security, and process improvement. The SEI works closely with defense and government organizations, industry, and academia to continually improve software-intensive systems. Its core purpose is to help organizations improve their software engineering capabilities and develop or acquire the right software, defect free, within budget and on time, every time.

May 15, 2013—The advent of digital medical record keeping has enabled numerous opportunities for improved and more consistent patient care. Health information exchanges (HIE) represent one such advancement. HIEs enable disparate health care information systems to easily and effectively share digital patient and healthcare information. Their ultimate goal is to provide accurate, timely, and equitable patient care by eliminating the need to rely on slower, more error-prone methods of information exchange, such as telephone, fax, and email. However, the emergence of HIEs has shed light on a number of cybersecurity challenges healthcare providers must address. Cybersecurity incident management is key among them.

With its long history in the field of incident management and resilience, the SEI's CERT Program is well positioned to help HIEs build a cybersecurity incident response capability. To launch this effort, SEI CERT Program researchers have drafted a guide to enable health information exchanges (HIEs) to remain resilient during cybersecurity incidents and disruptions. Developed in response to a request from the Department of Health and Human Services Office of the National Coordinator, the guide addresses the need for maintaining continuity and security in the midst of increasing cyber threats and other disruptions.

The seven-chapter guide is based on the "Service Continuity" process area of the CERT Resilience Management Model (CERT-RMM), a capability model for operational resilience management. "We tailored the information in the CERT-RMM specifically for HIEs," said Sam Merrell, member of the CERT Program engineering staff and leader for the project. "Our team includes people from the CERT Program, who understand cyber security and resilience, as well as representatives from industry, who understand how HIEs work. By bringing together our strengths in both areas, we were able to create a guide that is very specific and very useful for HIEs."

The guide recommends seven activities that range from creating plans for dealing with disruptions to testing and maintaining those plans. The guide also addresses the role of healthcare-specific laws and regulations in relation to maintaining resilience. "HIEs are faced with the same threats and disruptions that affect other organizations, but they also have to navigate those disruptions with HIPAA, state-specific regulations, and other legal considerations in mind. This guide covers those considerations," said Merrell.

Next steps for the guide include a review by subject matter experts. To facilitate this review, CERT will host the CERT Symposium on Cyber Security Incident Management for Health Information Exchanges on June 26 at Carnegie Mellon University's Posner Center in Pittsburgh, Pa. The Department of Health and Human Services, whose initial request led to the creation of the resilience guide for health information exchanges, is the symposium's primary sponsor.

Bringing together representatives from a range of health information exchanges (HIEs), the symposium will provide an opportunity to discuss the cybersecurity challenges facing HIEs and will contribute to improving the overall state of practice. The symposium will also feature presentations by selected experts on topics such as

HIPAA compliance during a cybersecurity incident

cyber incident reporting and communications

cybersecurity service level agreements in HIEs

legal considerations for HIEs when managing a cybersecurity incident

continuity and how HIEs can support providers' incident management practices